[ActiveDir] Control Delegation
I have two users in the Account Operators group. I delegated full control for AD Sites and Services. I want to allow them to have the ability to manually force DC replication. They are getting an Access Denied when they try to force replication. What else did I not do correctly?

Thanks,
Z.V.
RE: [ActiveDir] _gc and _ldap SRV records
So, reading this, am I correct in this interpretation? I should remove the _msdcs domain from xyz.root and instead create a new zone called _msdcs, then cycle Netlogon to force registration of records?

:m:dsm:cci:mvp

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, July 28, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _gc and _ldap SRV records

Each DNS zone representing an AD domain has a _MSDCS DNS subdomain. All DCs belonging to a certain domain register their domain-wide DNS records in their own _MSDCS DNS subdomain. However, each DC and GC also registers forest-wide records (e.g. CNAME and _GC, etc.). It is a best practice to create a separate DNS zone for _MSDCS.ForestRootDomain.tld. In W2K3 it is also a best practice to set the replication scope for that zone to all DCs with DNS in the forest. In W2K this is not possible, so in the forest root domain make the zone AD-integrated and, for the DNS servers in the other domains in the forest, create a secondary zone of this zone.

And yes, assuming replication is complete, all the records in the _MSDCS.ForestRootDomain.tld zone should be on each DNS server that hosts this zone.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Thu 7/28/2005 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] _gc and _ldap SRV records

A question about DNS SRV records for my DCs and Global Catalog servers... should every AD-integrated DNS server in my entire forest have _gc and _ldap records for every GC and DC in the forest? It looks like the records listed vary from one domain to another in my DNS, and I wonder if they should all have the same records regardless of the forest domain the DNS server is in.

Thanks,
Mark

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Control Delegation
Hi,

From a search in the ActiveDir archives with the keywords "Replication Delegating", you'll find Jorge's answer for delegating replication to a non-admin user. From the delegation WP:

Replication Management Tasks
- Force replication between two servers: extended right "Replication Synchronization" needed on cn=configuration,dc=forestRootDomain
- Force a synchronization between two servers: extended right "Replication Synchronization" needed on cn=configuration,dc=forestRootDomain

Cheers,
#JORGE#

Cheers
Yann

From: [EMAIL PROTECTED] on behalf of Za Vue
Date: Fri 29/07/2005 15:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Control Delegation
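The delegation Yann quotes, as an added example (not from the thread or the whitepaper it cites): a PowerShell script that grants the "Replication Synchronization" extended right on the Configuration NC head to a group and then lists every principal holding it, which doubles as an audit of who can force replication. It assumes the ActiveDirectory module; the group name is a placeholder.

```powershell
# Added example, not from the thread or the delegation whitepaper it quotes.
# Grants the "Replication Synchronization" extended right on the Configuration NC head
# (cn=configuration,dc=forestRootDomain) to a group, then lists every principal holding it.
# Assumes the ActiveDirectory module; "ReplicationOperators" is a placeholder group name.
Import-Module ActiveDirectory

$group    = 'ReplicationOperators'                        # placeholder: group to delegate to
$configNC = (Get-ADRootDSE).configurationNamingContext    # e.g. CN=Configuration,DC=forestroot,DC=tld
$ncPath   = "AD:\$configNC"

# Resolve the control access right by the display name used in the thread instead of
# hard-coding its rightsGuid; the object lives under CN=Extended-Rights in the Configuration NC.
$car = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Replication Synchronization))' `
    -Properties rightsGuid
if (-not $car) { throw "Control access right 'Replication Synchronization' not found" }
$rightGuid = [Guid]$car.rightsGuid

function Get-ReplSyncHolders {
    # Audit view: every ACE on the NC head that carries this one extended right.
    param([string]$Path, [Guid]$RightGuid)
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.ObjectType -eq $RightGuid -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited, InheritanceType
}

$sid = (Get-ADGroup -Identity $group).SID
$acl = Get-Acl -Path $ncPath

# Allow ACE for just this extended right, on the NC head object only (no inheritance),
# which is exactly the object the quoted whitepaper line names.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($ace)
Set-Acl -Path $ncPath -AclObject $acl

# Show the result; the delegated group should now appear alongside the default holders.
Get-ReplSyncHolders -Path $ncPath -RightGuid $rightGuid | Format-Table -AutoSize
```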
[ActiveDir] OT: MIIS, ADAM, AD
We have an upcoming project which will require an LDAP directory containing both our internal users and our extranet users. Currently, our internal users are in one AD domain, the extranet users in another. The domains are in separate forests, and there are no trusts. My plan is to use ADAM for the central LDAP directory. However, I'm on the horns of an enema, um, I mean dilemma, on how to sync ADAM to the two domains. A first glance would suggest MIIS. However, MIIS looks pretty complicated and difficult to configure. I'm considering writing my own sync code since the task at hand is relatively straightforward. Passwords will be a bit of a problem, but not unworkable. We use Psynch to maintain our internal passwords, so I can have it change the ADAM passwords at the same time it changes the internal AD passwords. The extranet users change their password via an existing web app, so having it change the ADAM passwords won't be an issue.

Reading about ADAM "proxy users" leads me to believe they'd be a perfect fit as the object type to use for our internal users (authentication is relayed to AD, thus negating the need to sync passwords). However, the ADAM tech ref says proxy users should only be used as a last resort, and to refer to the next section as to why. Unfortunately, the next section doesn't explain why not to use them. Anybody know why proxy user objects are evil?

Are there any good "MIIS for dummies" type documentation around? Any good ADAM and/or MIIS mailing lists?
RE: [ActiveDir] _gc and _ldap SRV records
Creating a separate zone for _MSDCS.ForestRootDomain.tld is especially interesting in multiple-domain forests. In single-domain forests it is not needed, as all DCs in the domain with DNS already get the info through the zone ForestRootDomain.tld. Although not needed, I always configure a separate zone for _MSDCS.ForestRootDomain.tld in case someone for some reason wants to create an additional domain in the forest.

#JORGE#

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 7/29/2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _gc and _ldap SRV records
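Jorge's W2K3 recommendation carried out end to end, as an added example that is not part of the thread: create _msdcs.<forest root> as a separate AD-integrated zone with forest-wide replication scope, re-register every DC's Netlogon records, and check that each DNS server returns the same forest-wide _ldap records Mark asked about. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later, so not the W2K3-era UI the thread used), that every DC also runs DNS, and WinRM access to the DCs.

```powershell
# Added example, not from the thread. Implements what Jorge recommends for W2K3:
# a separate _msdcs.<forest root> zone replicated to all DNS servers in the forest,
# then re-registers DC records and checks the forest-wide _ldap entries Mark asked about.
# Assumes the ActiveDirectory and DnsServer modules (Server 2012+), every DC running DNS,
# and that it is run on a DC hosting DNS with WinRM access to the other DCs.
Import-Module ActiveDirectory
Import-Module DnsServer

$forest     = Get-ADForest
$forestRoot = $forest.RootDomain              # e.g. forestroot.tld
$msdcsZone  = "_msdcs.$forestRoot"

# All DCs in every domain of the forest, not just the current domain.
$allDcs = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }

# 1. Create the zone AD-integrated with forest-wide replication scope and secure updates only,
#    so the records land on every DC/DNS in the forest rather than only the root domain's.
if (-not (Get-DnsServerZone -Name $msdcsZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $msdcsZone -ReplicationScope Forest -DynamicUpdate Secure
}
$zone = Get-DnsServerZone -Name $msdcsZone
if ($zone.ReplicationScope -ne 'Forest') {
    Write-Warning "$msdcsZone has replication scope '$($zone.ReplicationScope)', expected 'Forest'"
}

# 2. Force every DC to re-register its Netlogon DNS records (same effect as cycling Netlogon).
foreach ($dc in $allDcs) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock { nltest /dsregdns | Out-Null }
}

function Test-MsdcsRecords {
    # Ask one DNS server for the forest-wide SRV records and report DCs it does not list.
    param([string]$ForestRoot, [string]$DnsServer, [string[]]$ExpectedDcs)
    $srv = { param($n) Resolve-DnsName -Name $n -Type SRV -Server $DnsServer -ErrorAction Stop |
             Where-Object Type -eq 'SRV' | Select-Object -ExpandProperty NameTarget }
    $dcTargets = & $srv "_ldap._tcp.dc._msdcs.$ForestRoot"
    $gcTargets = & $srv "_ldap._tcp.gc._msdcs.$ForestRoot"
    [pscustomobject]@{
        DnsServer  = $DnsServer
        MissingDCs = @($ExpectedDcs | Where-Object { $dcTargets -notcontains $_ })
        GCs        = @($gcTargets)
    }
}

# 3. With a Forest scope every DNS server in the forest must return the same set; a
#    MissingDCs entry points at a DC whose records have not registered or replicated yet.
foreach ($dns in $allDcs.HostName) {
    Test-MsdcsRecords -ForestRoot $forestRoot -DnsServer $dns -ExpectedDcs $allDcs.HostName
}
```

The script does not touch the _msdcs subdomain that already exists inside the parent zone; once the child zone exists, queries for _msdcs names are answered from it.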
RE: [ActiveDir] Control Delegation
<grin> yep... that is what I would have said... </grin> ;-))

#JORGE#

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Fri 7/29/2005 3:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Control Delegation
[ActiveDir] Security Groups vs. Distribution Groups
We are running 2000 AD. I have two groups named the same. One group is a security group and one is a distribution group. They are in different OUs. Can having a Management security group cause some type of issue with a Management distribution group in AD? The Management distribution group will change to a security group. Could it be because they have the same name?
[ActiveDir] DCPromo Answer file....no DNS.
Hi All,

I have set up a Win2K domain (single DC, SP3) and have joined a Win2K3 member server. I have promoted the W2K3 member server using a dcpromo answer file, but cannot seem to force it to install DNS. Any ideas??

Brad

PS: Answer file below.

;This file is an answer file for the DCPromo process. The answers held within this file will automatically be applied to
;all DC's that are created with DCPromo /answer:filename where this file is used.
;More information about these and additional settings is available at the link below, or in the Deployment assistance
;guide that is stored in the Windows Server 2003 install source\SUPPORT\TOOLS\DEPLOY.CAB\REF.CHM
;http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/b7a68c24-fe69-407a-b220-0005ad1f884d.mspx

[DCInstall]
;Specifies whether any pre-Windows 2000 server authenticates users from this domain or any trusted domain.
AllowAnonymousAccess = Yes
;Specifies whether the DCPROMO wizard configures DNS for the new domain if it detects that the DNS dynamic update protocol is not available.
AutoConfigDNS = Yes
;Specifies whether the replica is also a global catalog.
ConfirmGc = Yes
;Specifies whether the promotion operation performs only critical replication and then continues, skipping the noncritical (and potentially lengthy) portion of replication.
CriticalReplicationOnly = No
;Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain database.
DatabasePath = %SYSTEMROOT%\Data
;Specifies whether to disable the Cancel button during a DNS installation.
DisableCancelForDnsInstall = Yes
;Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files.
LogPath = %SYSTEMROOT%\Logs
;Specifies whether to restart the computer upon successful completion.
RebootOnSuccess = Yes
;Specifies the DNS domain name of the domain to replicate.
ReplicaDomainDNSName = 1234testdomain.com
;Specifies whether to install a new domain controller as the first domain controller in a new directory service domain or to install it as a replica directory service domain controller.
ReplicaOrNewDomain = Replica
;Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer.
SysVolPath = %SYSTEMDRIVE%\Sysvol
;Specifies the domain name for the user name (account credentials) used for promoting the member server to a domain controller.
UserDomain = 1234testdomain.com
;Specifies the user name (account credentials) used for promoting the member server to a domain controller.
UserName = administrator
RE: [ActiveDir] Security Groups vs. Distribution Groups
It shouldn't cause you a problem. The reason is that they don't have the same name other than the display name. Everything else should be different.

Al

From: [EMAIL PROTECTED] on behalf of Christine Allen
Sent: Fri 7/29/2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Groups vs. Distribution Groups
RE: [ActiveDir] Event Log Question
Here is the link.

http://www.goatstore.com/eventlogs.zip

Thanks,
Charlie

-----Original Message-----
From: Carerros, Charles [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 27, 2005 9:26 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Event Log Question

With the number of people who have asked for this script, I'll post it on a web server late tonight and send out its link tomorrow.

Charlie

-----Original Message-----
From: Carerros, Charles [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 27, 2005 9:00 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Event Log Question

That looks like it is exactly what I need. Thanks.

Charlie

-----Original Message-----
From: John Singler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 27, 2005 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Event Log Question

Lots of options here, but one that I have been fond of is logparser. The latest version is 2.2.10 and can be DL'd from:
http://www.microsoft.com/downloads/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07&displaylang=en

The support forum at www.logparser.com is great - the author chimes in daily.

An example script that searches for the creation of user accounts:

    logparser.exe "SELECT TimeWritten, ComputerName, EXTRACT_TOKEN(Strings, 0, '|') AS NewAcctName, EXTRACT_TOKEN(Strings, 3, '|') AS CallerName FROM d:\logs\eventlog.evt WHERE EventID IN (624) ORDER BY TimeWritten DESC" -o:NAT -rtp:-1 -filemode:0

should get you something like:

    TimeWritten          ComputerName  NewAcctName  CallerName
    -------------------  ------------  -----------  ----------
    2005-01-28 08:41:16  DC1           userjoe      admin
    2005-01-28 08:15:50  DC1           userdean     admin
    2005-01-26 14:05:23  DC1           useral       admin
    2005-01-25 16:52:29  DC1           usertony     admin

    Statistics:
    -----------
    Elements processed: 1257597
    Elements output:    4
    Execution time:     64.31 seconds (00:01:4.31)

Finally, logparser handles many types of inputs (IISW3C, IIS, BIN, IISODBC, HTTPERR, URLSCAN, CSV, TSV, XML, W3C, NCSA, TEXTLINE, TEXTWORD, EVT, FS (files and directories), REG, ADS (info on Active Directory objects), NETMON, ETW, COM) and outputs (NAT, CSV, TSV, XML, W3C, TPL, IIS, SQL, SYSLOG, DATAGRID, CHART), which allows you to get creative with data mining.

hth,
john

Carerros, Charles wrote:
> I am using a script to pull all of my event logs from all of my servers (both local and remote) and saving them off as .evt files at my location. I was wondering if anyone has a script that I can use to go through these files to pull only the critical errors? I have looked at using Event Comb to do this, but it seems like Event Comb only scans through current event logs, not those that are saved off to another location.
>
> The end result I'm looking for is a way to create some stats on the number of errors and warnings I receive per server and overall. I want to bring some attention to these errors so I can get some additional resources in resolving them, as well as putting just the errors in one place to help speed up the process of reviewing them. I have seen a few scripts that do this type of thing, but all of those are based on the current event logs, not archived copies of the database.
>
> In the end, I might just end up changing the time that I run my archive script and run another script prior to that which might help me to gain my statistics.
>
> Any suggestions?
>
> Thanks,
> Charlie
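Charlie's stated goal (per-server counts of errors and warnings across the archived .evt files), done with the tool John suggests, as an added example that is not from the thread: a PowerShell wrapper that runs one Log Parser query over every saved .evt file, writes the per-server breakdown to CSV, and sums the overall totals. It assumes logparser.exe is on the PATH; D:\logs is a placeholder archive directory.

```powershell
# Added example, not from the thread. Uses Log Parser's EVT input format over saved .evt
# files to produce the per-server Error/Warning statistics the original question asked for.
# Assumes logparser.exe is on the PATH; D:\logs is a placeholder path for the archives.
$archiveDir = 'D:\logs'
$outFile    = Join-Path $archiveDir 'error-warning-summary.csv'

# Log Parser SQL dialect: the EVT input reads backup .evt files (wildcards allowed),
# EventTypeName carries the human-readable type, and IN lists are ';'-separated.
$query = "SELECT ComputerName, EventTypeName, COUNT(*) AS Occurrences " +
         "INTO $outFile " +
         "FROM $archiveDir\*.evt " +
         "WHERE EventTypeName IN ('Error event'; 'Warning event') " +
         "GROUP BY ComputerName, EventTypeName " +
         "ORDER BY Occurrences DESC"

& logparser.exe $query -i:EVT -o:CSV -stats:OFF
if ($LASTEXITCODE -ne 0) { throw "logparser failed with exit code $LASTEXITCODE" }

function Get-OverallTotals {
    # Roll the per-server CSV up into one total per event type (the "overall" figure).
    param([string]$CsvPath)
    Import-Csv -Path $CsvPath |
        Group-Object EventTypeName |
        ForEach-Object {
            [pscustomobject]@{
                EventTypeName = $_.Name
                Total         = ($_.Group | ForEach-Object { [int]$_.Occurrences } |
                                 Measure-Object -Sum).Sum
            }
        }
}

# Per-server breakdown first, then the forest-wide totals.
Import-Csv -Path $outFile | Format-Table -AutoSize
Get-OverallTotals -CsvPath $outFile | Format-Table -AutoSize
```

Swapping the WHERE clause for John's `EventID IN (624)` filter turns the same wrapper into a per-server count of account creations.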
RE: [ActiveDir] _gc and _ldap SRV records
What's the difference, or adverse effects, of just making a secondary copy of the root domain zone on every DNS server in a multi-domain forest, as that zone contains the _MSDCS.forestrootdomain zone, instead of partitioning just the _MSDCS zone? Also, how do you do that in Win2K, because Windows DNS doesn't seem to treat _MSDCS as a "real" zone file or domain but like a subfolder?

Thanks

-----Original Message-----
From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Friday, July 29, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _gc and _ldap SRV records
[ActiveDir] UDP vs TCP
Hi,

Does anyone know if it's possible to tweak a domain controller so that authentication requests from a client that exceed 2000 bytes (not sure if that's the default for Windows 2000 domains / XP) may be authenticated by the DC? I know it's possible with a registry hack on the client by either bumping that value or telling the client to just use TCP. We have a SOHO situation that utilizes Nortel VPN appliances, and hence the authentication issue. This is a temporary location, but in our business this is a frequent request.

Thanks,
RE: [ActiveDir] OT: MIIS, ADAM, AD
Hello,

We use MIIS 2003 to synchronise user identities between AD 2003, OpenLDAP and Oracle 9i, and that works pretty well. MIIS includes pre-integrated directory connectors, called Management Agents (MA), for ADAM, Novell eDirectory, Active Directory, DSML, Oracle 9i and many more.

With MIIS 2003 SP1 you could easily synchronize user passwords between different directories, but always in the way below: user password changes (via MMC ADUC, Ctrl+Alt+Del, web) are detected by AD 2003 DCs; these changes are pushed to your MIIS server, which pushes the passwords to your configured directories, in your case ADAM. And that works great! All passwords are encrypted between synchronisations.

BUT MIIS has these inconveniences:
1) It costs. The price is per processor (~12000 euros/processor, pretty equivalent to 1 dollars/processor).
2) You must have very good knowledge in dev.: VB.NET and C# are the dev environment for MIIS.

These links will help you to better understand the product.

Yahoo newsgroup (you have to sign in first): http://groups.yahoo.com/group/MMSUG/
http://www.activeidm.com/servlet/constructor.includeHTTP?iwebsiteID=8627&isectionTypeID=1&isectionID=43519
http://www.microsoft.com/windowsserversystem/miis2003/support/default.mspx
A MS tutorial: http://www.microsoft.com/downloads/details.aspx?FamilyId=DADC5021-222B-4AF7-8C58-2227C358756F&displaylang=en#filelist
...and a good practice on how to configure MIIS to synchronize with ADAM, but it is in French.. :(
http://www.techheadbrothers.com/DesktopDefault.aspx?tabindex=1&tabid=7&CatId=6
see "MIIS pas à pas, Partie 1/3", "MIIS pas à pas, Partie 2/3" and "MIIS pas à pas, Partie 3/3"
A good webcast about MMS, which is the old version, but a good presentation of how MIIS works: http://support.microsoft.com/default.aspx?kbid=324572

I do not know what ADAM proxy users are and how you can use them to achieve your goal. Maybe someone on this list could help you...

Good luck :)

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Date: Fri 29/07/2005 16:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: MIIS, ADAM, AD
RE: [ActiveDir] UDP vs TCP
We just push this registry setting out to all of our workstations:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxPacketSize"=dword:00000001

This forces all Kerberos traffic to use TCP.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, July 29, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] UDP vs TCP
RE: [ActiveDir] UDP vs TCP
Devan,

I'm still poking around for a more authoritative answer, but I don't believe that there is a 'server side' setting for changing that behavior. To really understand why, think about who needs to authenticate with whom. It's not the server starting the conversation ;o)

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, July 29, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] UDP vs TCP
RE: [ActiveDir] UDP vs TCP
Hi Rick,

I absolutely agree, but I was hoping there was a way to set this variable on the server side. Worst-case scenario, this may have to be tweaked client-side. By forcing these clients to authenticate using TCP, does it add latency to the authentication process when they return to their home offices? Hmm, perhaps when you start with MCS and have access to their knowledge DB you could look this up for me, heheh...

Thanks,

Original Message Follows
From: Rick Kingslan [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UDP vs TCP
Date: Fri, 29 Jul 2005 11:06:22 -0500
RE: [ActiveDir] UDP vs TCP
No latency. Like I said, we just push that registry setting out to all users. I've never seen a difference when logging in.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, July 29, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UDP vs TCP
RE: [ActiveDir] UDP vs TCP
Cool, Thanks

Firefox - Rediscover the web

Original Message Follows
From: Ken Cornetet [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] UDP vs TCP
Date: Fri, 29 Jul 2005 11:32:31 -0500
[ActiveDir] GPO to enable a service at restart
Hi,

We need the Fast User Switching Service to start automatically when we restart a client, but of course this is disabled as it is part of a domain. Is there any way to use GPO, scripts etc. to exert control over Windows Services?

Thanks guys,
RE: [ActiveDir] GPO to enable a service at restart
A startup script is probably your best bet. Alternatively, you can use the Services security policy to change the startup state of a service, which will give you what you need at reboot.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David J. Kinsella
Sent: Friday, July 29, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO to enable a service at restart
Re: [ActiveDir] OT: MIIS, ADAM, AD
MIIS looks pretty complex, but it is something that can be figured out (I've gotten it working so it can't be that hard ;) The thing I found with MIIS is that things aren't where you think they would be, and some switches/options do things that you're not expecting. There are some good Q articles about getting MIIS working, but I never looked for a book or anything.

My question is: what are you going to be using the central LDAP directory for?

Phil

On 7/29/05, Ken Cornetet [EMAIL PROTECTED] wrote:

We have an upcoming project which will require an LDAP directory containing both our internal users and our extranet users. Currently, our internal users are in one AD domain, the extranet users are in another. The domains are in separate forests, and there are no trusts.

My plan is to use ADAM for the central LDAP directory. However, I'm on the horns of an enema, um, I mean dilemma, on how to sync ADAM to the two domains. A first glance would suggest MIIS. However, MIIS looks pretty complicated and difficult to configure. I'm considering writing my own sync code since the task at hand is relatively straightforward.

Passwords will be a bit of a problem, but not unworkable. We use Psynch to maintain our internal passwords, so I can have it change the ADAM passwords at the same time it changes the internal AD passwords. The extranet users change their password via an existing web app, so having it change the ADAM passwords won't be an issue.

Reading about ADAM proxy users leads me to believe they'd be a perfect fit as the object type to use for our internal users (authentication is relayed to AD, thus negating the need to sync passwords). However, the ADAM tech ref says proxy users should only be used as a last resort, and to refer to the next section as to why. Unfortunately, the next section doesn't explain why not to use them.

Anybody know why proxy user objects are evil? Are there any good MIIS for dummies type documentation around?
Any good ADAM and/or MIIS mailing lists?
RE: [ActiveDir] Security Groups vs. Distribution Groups
Each group in AD (distribution and/or security) must have a unique sAMAccountName (pre-Windows 2000 name) within the domain and must have a unique common name within a container/OU. Your groups have the same common name and they can exist because they are in separate OUs. That's OK. Moving one of the groups to the same OU as the other is not possible because you would then violate the rule mentioned above. I'm also sure they have different sAMAccountNames although having the same common name; otherwise they could not exist within the same domain.

Changing the group type to security will only have impact on the security token of its members. The impact I'm talking about is that each member will have an additional SID in its access token. Don't forget each distribution group has a SID also, although not used and inactive. As soon as you change the group type to security it will become active.

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Christine Allen
Sent: Fri 7/29/2005 4:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Security Groups vs. Distribution Groups

We are running 2000 AD. I have two groups named the same. One group is a security group and one is a distribution. They are in different OUs. Can having a Management security group cause some type of issue with a Management Distribution group in AD? The Management distribution group will change to a security group. Could it be because they have the same name?
RE: [ActiveDir] _gc and _ldap SRV records
The difference is the number of records in the zone that are replicated or transferred. Creating a separate zone for _MSDCS.ForestRootDomain.tld only replicates or transfers that content instead of replicating everything in ForestRootDomain.tld.

I'm not sure if I understand your question but I'll try to answer it. In W2K you create an AD-I zone for _MSDCS.ForestRootDomain.tld on the DCs/DNS servers of the forest root domain. On DNS servers (not specifically DCs) in the other domains you create a secondary DNS zone for the zone _MSDCS.ForestRootDomain.tld. Is this the answer you were looking for?

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Fri 7/29/2005 5:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _gc and _ldap SRV records

What's the difference or adverse effects of just making a secondary copy of the root domain zone on every DNS server in a multi-domain forest, as that zone contains the _MSDC.forestrootdomain zone, instead of partitioning just the _MSDC zone? Also, how do you do that in Win2k, because Windows DNS doesn't seem to treat _MSDC as a real zone file or domain but like a subfolder?

Thanks

-Original Message-
From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto, Jorge de
Sent: Friday, July 29, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _gc and _ldap SRV records

Creating a separate zone for _MSDCS.ForestRootDomain.tld is especially interesting in multiple domain forests. In single domain forests it is not needed as all DCs in the domain with DNS already get the info through the zone ForestRootDomain.tld. Although not needed, I always configure a separate zone for _MSDCS.ForestRootDomain.tld if someone for some reason wants to create an additional domain in the forest.

#JORGE#

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 7/29/2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] _gc and _ldap SRV records
RE: [ActiveDir] OT: MIIS, ADAM, AD
I have MIIS, but have not used it for our OpenLDAP to Active Directory sync. Before I got MIIS I wrote Python scripts to sync our LDAP with our Active Directory. I don't sync passwords via the scripts, because I have another PHP script that sets the user password on both directories when changed. I don't really plan on switching this over to MIIS because my Python scripts are working so well and are so easy to manage. But playing with MIIS, it really shouldn't be too hard to set up the sync with it.

I also use Python scripts to sync our Student Information System with the OpenLDAP. I'm not really a programmer and learned Python just for this project; had the scripts working in less than a week. If you want some info or code samples just let me know.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx
307 MONROE HALL | Cheney, WA 99004

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, July 29, 2005 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] OT: MIIS, ADAM, AD

Hello,

We use MIIS 2003 to synchronise user identities between AD 2003, OpenLDAP and Oracle 9i, and that works pretty well. MIIS includes pre-integrated directories to manage, such as ADAM, Novell eDirectory, Active Directory, DSML, Oracle 9i and many more, called Management Agents (MA) or connectors. With MIIS 2003 SP1 you can easily synchronize user passwords between different directories, but always in the way below:

User password changes (via MMC ADUC, Ctrl+Alt+Del, web) are detected by AD 2003 DCs; these changes are pushed to your MIIS server, which pushes passwords to your configured directories, in your case ADAM. And that works great! All passwords are encrypted between synchronisations.

BUT MIIS has these drawbacks:

1) It costs. The price is per processor (~12000 euros/processor, pretty equivalent to 1 dollars/processor).
2) You must have very good development knowledge: VB.NET and C# are the development environment for MIIS.

These links will help you to better understand the product.

Yahoo newsgroup: http://groups.yahoo.com/group/MMSUG/ (you have to sign in first)
http://www.activeidm.com/servlet/constructor.includeHTTP?iwebsiteID=8627&isectionTypeID=1&isectionID=43519
http://www.microsoft.com/windowsserversystem/miis2003/support/default.mspx

A MS tutorial: http://www.microsoft.com/downloads/details.aspx?FamilyId=DADC5021-222B-4AF7-8C58-2227C358756F&displaylang=en#filelist

...and a good practice on how to configure MIIS to synchronize with ADAM, but it is in French .. :(
http://www.techheadbrothers.com/DesktopDefault.aspx?tabindex=1&tabid=7&CatId=6
see MIIS pas à pas, Partie 1/3, MIIS pas à pas, Partie 2/3 and MIIS pas à pas, Partie 3/3

A good webcast about MMS, which is the old version, but a good presentation of how MIIS works: http://support.microsoft.com/default.aspx?kbid=324572

I do not know what ADAM proxy users are and how you can use them to achieve your goal. Maybe someone on this list could help you...

Good luck :)

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Date: Fri 29/07/2005 16:03
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: MIIS, ADAM, AD
[ActiveDir] Question about Kerberos Errors
I have a question about Kerberos that I hope you guys can help me with. In our environment, our client base (servers and workstations) has a different DNS name than the domain where their authenticating DCs reside. They are members of the same Active Directory domain, but due to decisions made a long time ago, their DNS information does not match the AD domain where they reside. As an example: DC1 is in CHILD.DOMAIN.COM but all application servers are listed (in DNS only) as being in DOMAIN.COM even though their computer objects are in CHILD.DOMAIN.COM. This is for ease of lookup, I'm told. Additionally, workstations have a location code added so that they show up as LOCATION.DOMAIN.COM.

Both the servicePrincipalName and the dNSHostName report the server and workstation objects as being in the domain mentioned above. I have checked, and the primary DNS suffix for each machine maps to the dNSHostName. So, my workstation has the following SPNs:

HOST/workstationname.LOCATION.DOMAIN.COM
HOST/workstationname

And one of our Exchange Servers has the following SPNs:

SMTPSVC/servername
SMTPSVC/servername.DOMAIN.COM
HOST/servername
HOST/servername.DOMAIN.COM

Now the problem: We are getting floods of Audit Failures (Event ID 675 and 676) and also NETLOGON failures (5722, 5723, and 5790) on a regular basis on all of our DCs. In some cases, a single computer will log literally thousands of these events and still not get locked out (which I would expect if they are attempting to authenticate and failing). It has been hinted to me multiple times that one of the reasons we are experiencing this is due to the way our servers/workstations are set up in DNS. Can someone confirm or deny this for me? If there is any published literature that I can look at or show my management, that would also be very helpful.

Thanks!
Scott Rachui
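As an added example (not code from the thread), a small Python audit over computer objects laid out the way Scott describes: it reports the DNS-suffix mismatch for inventory, then checks the two things that decide whether the KDC can issue a ticket for a name to the right account, namely that HOST SPNs exist for both the short name and the FQDN and that no SPN is registered on more than one object (the duplicate check goes beyond the thread but is a classic cause of Kerberos failures). AD_DOMAIN and the SAMPLE_COMPUTERS records are constructed; the attribute names are the real AD ones.

```python
"""Audit AD computer objects for SPN / DNS-name inconsistencies.

Added example, not from the list thread. AD_DOMAIN and the
SAMPLE_COMPUTERS records are constructed to mirror the layout in the
question: objects live in child.domain.com while their dNSHostName
carries another suffix.
"""
from collections import defaultdict

AD_DOMAIN = "child.domain.com"   # DNS name of the AD domain holding the objects

# Constructed sample computer objects; attribute names are the real AD ones.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "WS001$", "dNSHostName": "ws001.location.domain.com",
     "servicePrincipalName": ["HOST/ws001.location.domain.com", "HOST/ws001"]},
    {"sAMAccountName": "EXCH1$", "dNSHostName": "exch1.domain.com",
     "servicePrincipalName": ["SMTPSVC/exch1", "SMTPSVC/exch1.domain.com",
                              "HOST/exch1", "HOST/exch1.domain.com"]},
    {"sAMAccountName": "APP2$", "dNSHostName": "app2.domain.com",
     "servicePrincipalName": ["HOST/app2"]},                  # FQDN HOST SPN missing
    {"sAMAccountName": "APP3$", "dNSHostName": "app3.child.domain.com",
     "servicePrincipalName": ["HOST/app3", "HOST/app3.child.domain.com",
                              "HOST/exch1.domain.com"]},      # stale copy of EXCH1's SPN
]


def check_computer(comp, ad_domain=AD_DOMAIN):
    """Return a list of (code, detail) findings for one computer object."""
    findings = []
    short = comp["sAMAccountName"].rstrip("$").lower()
    fqdn = comp["dNSHostName"].lower()
    spns = {s.lower() for s in comp["servicePrincipalName"]}
    # Informational: the DNS suffix is not the AD domain's DNS name.
    if not fqdn.endswith("." + ad_domain.lower()):
        findings.append(("dns-suffix-mismatch", f"{fqdn} is not under {ad_domain}"))
    # The host label must match the account name, or the two names will
    # never map to the same principal.
    if fqdn.split(".")[0] != short:
        findings.append(("hostname-mismatch", f"{short} vs {fqdn}"))
    # A HOST SPN is needed for both the short name and the FQDN; a
    # request for a name that no account holds fails at the KDC.
    for name in (short, fqdn):
        if f"host/{name}" not in spns:
            findings.append(("missing-host-spn", f"HOST/{name}"))
    return findings


def find_duplicate_spns(computers):
    """Map each SPN held by more than one object to the sorted owner names."""
    owners = defaultdict(set)
    for comp in computers:
        for spn in comp["servicePrincipalName"]:
            owners[spn.lower()].add(comp["sAMAccountName"])
    return {spn: sorted(o) for spn, o in owners.items() if len(o) > 1}


def audit(computers, ad_domain=AD_DOMAIN):
    """Per-object findings plus the cross-object duplicate-SPN map."""
    per_object = {c["sAMAccountName"]: check_computer(c, ad_domain) for c in computers}
    return per_object, find_duplicate_spns(computers)


if __name__ == "__main__":
    per_object, dups = audit(SAMPLE_COMPUTERS)
    for name, findings in per_object.items():
        for code, detail in findings:
            print(f"{name:8} {code:22} {detail}")
    for spn, owners in dups.items():
        print(f"DUPLICATE {spn} on {', '.join(owners)}")
```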
RE: [ActiveDir] OT: MIIS, ADAM, AD
One of the best MIIS lists I've found is [EMAIL PROTECTED] As far as books, I haven't found one. I think MIIS is now finally offered as a MOC course.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, July 29, 2005 1:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: MIIS, ADAM, AD
[ActiveDir] Search User Accounts for Password Reset Date
I know it's possible to search user accounts for the last logged in date, but is it possible to generate a list of the date and time each user account is set to expire? On our old domain, Novell (gag) would display the time and date that a user's password was to expire and I'd like to see if we can view this kind of information in AD. I'd really like to get a list of all our user accounts and then the password expiration date so I can sort and print it for our management team.

Bonnie Pohlschneider
Copeland Corporation
937-493-2333 PH
718-887-7441 FX
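As an added example (not code from the thread), the arithmetic behind that list in Python: AD stores pwdLastSet as a FILETIME and the domain's maxPwdAge as a negated 100-nanosecond interval, so the expiry is pwdLastSet plus |maxPwdAge| unless the account carries the "password never expires" flag in userAccountControl or pwdLastSet is 0 (change at next logon). The user records below are constructed sample data; pulling the real attributes out of the directory is left to whatever LDAP tool you already use.

```python
"""Compute per-user password expiry from raw AD attribute values.

Added example, not from the list thread. pwdLastSet and
userAccountControl come from each user object, maxPwdAge from the
domain head; the SAMPLE_USERS below are constructed data.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME epoch (1601-01-01 UTC); FILETIME counts 100-nanosecond ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl bit for "password never expires".
UF_DONT_EXPIRE_PASSWD = 0x10000
NEVER = "never"
MUST_CHANGE = "must change at next logon"


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME integer (as stored in pwdLastSet) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def max_pwd_age(raw: int) -> Optional[timedelta]:
    """maxPwdAge is stored negated; 0 or the 0x8000000000000000 sentinel
    (shown as -9223372036854775808) means passwords never expire."""
    if raw == 0 or raw == -0x8000000000000000:
        return None
    return timedelta(microseconds=(-raw) // 10)


def password_expiry(pwd_last_set: int, uac: int, max_pwd_age_raw: int):
    """Expiry datetime for one account, or NEVER / MUST_CHANGE."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return NEVER
    if pwd_last_set == 0:            # cleared by an admin: change at next logon
        return MUST_CHANGE
    age = max_pwd_age(max_pwd_age_raw)
    if age is None:
        return NEVER
    return filetime_to_datetime(pwd_last_set) + age


def expiry_report(users, max_pwd_age_raw: int, now: Optional[datetime] = None):
    """Rows of (sAMAccountName, expiry-or-status, already_expired),
    sorted with the soonest expiry first and non-dated rows last."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for u in users:
        exp = password_expiry(u["pwdLastSet"], u["userAccountControl"], max_pwd_age_raw)
        if isinstance(exp, datetime):
            rows.append((u["sAMAccountName"], exp.isoformat(), exp < now))
        else:
            rows.append((u["sAMAccountName"], exp, False))
    rows.sort(key=lambda r: (not r[1][:1].isdigit(), r[1]))
    return rows


# Domain default policy: 42 days, stored as a negative tick count.
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000
NORMAL_ACCOUNT = 0x200

# Constructed sample users (not real directory data).
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(datetime(2005, 6, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc_backup",
     "userAccountControl": NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": datetime_to_filetime(datetime(2004, 1, 15, tzinfo=timezone.utc))},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": datetime_to_filetime(datetime(2005, 7, 20, 9, 30, tzinfo=timezone.utc))},
]

if __name__ == "__main__":
    for name, exp, expired in expiry_report(SAMPLE_USERS, MAX_PWD_AGE_42_DAYS):
        print(f"{name:12} {exp:32} {'EXPIRED' if expired else ''}")
```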
[ActiveDir] Urgh... troubleshooting....
Greetings,

I've been a lurker here for quite some time and have had a relatively quiet AD until recently. We have a small network with 2K servers and a mix of 2K and XP2 workstations. Until recently, everything was fine. Then Something Happened. I'm not sure what started the ball rolling, but it's certainly rolling now.

I have one server that is listed in the AD and DNS as a DC, but it won't replicate AD in either direction. I've spent a couple of hours doing some web surfing and initial troubleshooting, but I've had less than stellar success. (At one point in time it was working fine, since I have a lot of older AD information on the problem server.) I've run DnsLint and all the DNS entries look good.

When I do a 'net view \\servername' from the DC that does not have up to date AD information, I get a message back, access denied, and a corresponding entry in the security log about a failure audit of the server I'm attempting to view. But when I do the same thing and use an IP address instead of a server name, the net view information displays.

Another symptom is printer connections and drive mapping. If I'm at the server with the out of date AD information, I'm getting an 'access denied' message when attempting to connect to a network printer or map a network drive. All of the steps outlined above work fine when initiated from any of the other servers. It's almost like the server with the out of date AD information is allowing access, but the rest of the servers in the organization won't let *that* particular server have access to any domain related stuff, such as printers and network shares.

I can't even run dcpromo and remove AD from the affected server because it asks for some sort of authorization from other DCs located in the organization, but the other DCs won't allow it to access information. I'm assuming it's trying to tell the other DCs to remove any pertinent entries from the AD in regards to the server that's attempting to have its AD removed.

Does anyone have any links to places I can continue to search for troubleshooting information?

--Brett
RE: [ActiveDir] Urgh... troubleshooting....
May look strange but are you running McAfee 8.0i?? Got someone that had something similar and the TDI driver of VS8 was the culprit...

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of vex
Sent: Friday, July 29, 2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Urgh... troubleshooting
RE: [ActiveDir] Urgh... troubleshooting....
Michel-

Care to elaborate? We have 8.0i in the lab and I haven't noticed any ill effects on the DCs but this certainly caught my eye as we are scheduled to move it over to production soon.

Thanks
Bob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Friday, July 29, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Urgh... troubleshooting
If I'm at the server with the out of date AD information, I'm getting an 'access denied' message when attempting to connect to a network printer or map a network drive. All of the steps outlined above work fine when initiated from any of the other servers. It's almost like the server with the out of date AD information is allowing access, but the rest of the servers in the organization won't let *that* particular server have access to any domain related stuff, such as printers and network shares. I can't even run dcpromo and remove AD from the affected server because it asks for some sort of authorization from other DC's located in the organization, but the other DC's won't allow it to access information. I'm assuming it's trying to tell the other DC's to remove any pertinent entries from the AD in regards to the server that's attempting to have it's AD removed Does anyone have any links to places I can continue to search for troubleshooting information? --Brett List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Urgh... troubleshooting....
What happens when you run DCDIAG from the broken DC? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Friday, July 29, 2005 1:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Urgh... troubleshooting
RE: [ActiveDir] Urgh... troubleshooting....
Anything in the event logs? Is it possible that it was messed up by a virus, see odd processes running? Maybe try a rootkit revealer. Were patches recently applied? Is the clock in sync with the other DCs? Thanks, JD -Original Message- From: vex [mailto:[EMAIL PROTECTED] Sent: Friday, July 29, 2005 3:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Urgh... troubleshooting
Re: [ActiveDir] Urgh... troubleshooting....
Make sure the DNS settings on the server are correct in the IP properties. If one of your servers or DCs is looking at the wrong DNS then you will have a problem. Separately, I had a similar problem in late April when I applied a security patch from MS. It fubared the TCP/IP stack with connection issues. It was fixed in June. Jim Katoe WW Directory Services Manager GroupM 917 520 0119 - Original Message - From: ActiveDir-owner Sent: 07/29/2005 04:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Urgh... troubleshooting
[ActiveDir] Intra-forest migration
We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves? Thanks as always. This list is a real help. Chris Flesher The University of Chicago NSIT/DCS (773)-834-8477
[ActiveDir] Advice
I'm starting a new job in a week as an AD/Exchange engineer (I posted about my anxieties before on the list). This company used to outsource all their AD/Exchange infrastructure and now they want to take control of it. As it stands, their relationship with the outsourcing firm is rocky. While the DCs and Exchange server are physically in the company, no one has Domain or Enterprise admin rights. And no one, including me, is about to attempt elevation of privileges with all the numerous ways to hack a DC when you have physical access. That would be in poor taste. My questions to the list are: if you were coming into such an environment, what are the first things you would do and look for? How much, as a regular user, can you glean of the AD/Exchange environment, and what would be your first steps? Thanks very much. -- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
Re: [ActiveDir] Urgh... troubleshooting....
Bruyere, Michel wrote: May look strange but are you running McAfee 8.0i?? Got someone that had something similar and the TDI driver of VS8 was the culprit... No McAfee products on site, but I *did* just upgrade that server to Pervasive 8. But according to my notes, the problem was occurring prior to the Pervasive upgrade. --Brett
RE: [ActiveDir] Urgh... troubleshooting....
Found this, under Troubleshooting Active Directory : http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/d87e1c8f-2e6b-4ce3-b72b-7108acc6aecb.mspx

More to the point, there are some special security checks in DCDIAG for 2003 SP1 that may be able to help. From the link above:

An "Access denied" or other security error has caused replication problems
Updated: March 2, 2005

Replication problems that have security causes can be tested and diagnosed by using the version of Dcdiag.exe that is included with Windows Support Tools in Windows Server 2003 Service Pack 1 (SP1).

Cause
A replication destination domain controller cannot contact its source replication partner to get Active Directory updates as a result of one or more security errors occurring on the connection between the two domain controllers.

Solution
Run the replication security error diagnostic test that is available in the version of Dcdiag in Windows Support Tools that is included in Windows Server 2003 SP1.

Test a Domain Controller for Replication Security Errors
You can test any or all domain controllers in your forest for security errors.

Requirements
Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group to test a domain controller in your domain or a member of the Enterprise Admins group to test a domain controller in another domain.
Tool: Dcdiag.exe (Windows Support Tools) in Windows Server 2003 SP1
Operating system: Although you can run the enhanced version of Dcdiag on computers running Windows XP Professional and Windows Server 2003 with no service pack installed, to run the new replication security test (/test:CheckSecurityError), you must run Dcdiag on a domain controller running Windows Server 2003 with SP1.
You can run the new Dcdiag replication security tests against domain controllers that are running the following operating systems: Windows 2000 Server with Service Pack 3 (SP3); Windows 2000 Server with Service Pack 4 (SP4); Windows Server 2003; Windows Server 2003 with SP1.

To test a domain controller for replication security errors
1. At a command prompt, type the following command, and then press ENTER: dcdiag /test:CheckSecurityError /s:DomainControllerName
   DomainControllerName: the Domain Name System (DNS) name, network basic input/output system (NetBIOS) name, or distinguished name of the domain controller on which you want to test. If you do not use the /s: switch, the test is run against the local domain controller. You can also test all domain controllers in the forest by using /e: instead of /s:.
2. Copy the report into Notepad or an equivalent text editor.
3. Scroll to the Summary table near the bottom of the Dcdiag log file.
4. Note the names of all domain controllers that reported Warn or Fail status in the Summary table.
5. Find the detailed breakout section for the problem domain controller by searching on the string DC: DomainControllerName.
6. Make the required configuration changes on the domain controllers. Rerun Dcdiag /test:CheckSecurityError with the /e: or /s: switch to validate the configuration changes.

Test the Connection Between Two Domain Controllers for Replication Security Errors
You can test the connection between two domain controllers in your forest for replication security errors. The domain controller that represents the source of the inbound connection does not have to be an existing source to run this test; that is, a connection object from that domain controller does not have to exist on the destination domain controller. The test is useful in the following scenarios:
- A connection exists between a source and a destination, and you receive a security error.
- A connection should be created automatically by the Knowledge Consistency Checker (KCC) and you want to test why the connection does not exist.
- You are trying to create a connection between two domain controllers and you receive a security error.
- You want to determine whether a connection could be created if you wanted to add one on this destination from the specified source.

Requirements
Administrative credentials: To complete this procedure, you must be a member of the Domain
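As an added example (not from this thread and not from the TechNet page Johnny quotes), here is the same procedure driven from PowerShell: it runs dcdiag /test:CheckSecurityError against one DC or the whole forest, keeps the full report, turns the per-test result lines into objects so the failing DCs stand out without scrolling for the Summary table, and then prints the error-bearing lines from each failing DC's own section. It assumes dcdiag.exe from the Windows Server 2003 SP1 Support Tools is on the PATH, that it runs on a 2003 SP1 DC with the credentials the article requires, and that dcdiag's per-test result lines have their usual "......................... <DC> passed test <Name>" shape; the keyword list used to pick out error lines is a heuristic chosen for this example. Worth noting against Brett's symptom: 'net view \\name' failing while 'net view \\IP' works is the classic sign that Kerberos is broken while NTLM still works (a connection by IP address has no SPN to request a ticket for, so it falls back to NTLM), and a DC whose Kerberos is broken is exactly what this test is built to catch.

```powershell
# Added example (not from the thread or the TechNet page): run the SP1 dcdiag
# security test and triage its report instead of reading it by hand.
# Assumptions: dcdiag.exe from the Windows Server 2003 SP1 Support Tools is on
# PATH, the script runs on a 2003 SP1 DC with Domain Admins (or Enterprise
# Admins for /e) credentials, and dcdiag prints each test result on a line of
# its usual "......................... <DC> passed|failed test <Name>" form.
param(
    [string]$Server,                                              # /s: target; omit to test the whole forest (/e)
    [string]$LogPath = "$env:TEMP\dcdiag-CheckSecurityError.log"
)

$dcdiagArgs = @('/test:CheckSecurityError', '/v')
if ($Server) { $dcdiagArgs += "/s:$Server" } else { $dcdiagArgs += '/e' }

# Keep the whole report: the per-DC detail, not the summary, says *why* a DC failed.
$report = @(& dcdiag.exe @dcdiagArgs 2>&1 | ForEach-Object { "$_" })
$report | Set-Content -LiteralPath $LogPath

# One result line per (DC, test). Connectivity always runs as a pre-test, so keep
# the test name rather than assuming every result line is CheckSecurityError.
$results = @(foreach ($line in $report) {
    if ($line -match '\.{5,}\s+(?<dc>\S+)\s+(?<status>passed|failed)\s+test\s+(?<test>\S+)') {
        [pscustomobject]@{ DC = $matches.dc; Test = $matches.test; Status = $matches.status }
    }
})

'--- Results ---'
$results | Sort-Object DC, Test | Format-Table -AutoSize

# For each DC that failed, print the lines of its own section that carry the
# error, so the fix (DNS, time skew, secure channel, SPN, ...) can be targeted.
# The keyword list is a heuristic chosen for this example.
$failed = @($results | Where-Object { $_.Status -eq 'failed' } | Select-Object -ExpandProperty DC -Unique)
foreach ($dc in $failed) {
    "--- $dc : lines that explain the failure ---"
    $inSection = $false
    foreach ($line in $report) {
        # Section headers look like "Testing server: Site\DC1" or "DC: DC1"
        if ($line -match "^\s*(Testing server:|DC:)\s*.*\b$([regex]::Escape($dc))\b") { $inSection = $true; continue }
        if ($line -match '^\s*(Testing server:|DC:)') { $inSection = $false }
        if ($inSection -and $line -match 'denied|error|fail|Kerberos|secure channel|skew|KDC|SPN|LsaPolicy|time') { $line }
    }
}
"Full report saved to $LogPath"
```

Run it with no arguments from a 2003 SP1 DC to cover the forest, or with -Server for the one broken DC; the saved log is the same report the article tells you to paste into Notepad, so steps 3 to 5 above can still be done by hand on it if the filter misses something.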
RE: [ActiveDir] Advice
My own opinion is that the organization should demand from the consulting firm the administrator password or an equal account immediately (as in, while they are on the phone with the person, before even hanging up). Robert Williams, MCSE NT4/2K/2K3, Security+ Infrastructure Rapid Response Engineer Northeast Region Microsoft Corporation Global Solutions Support Center -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Friday, July 29, 2005 6:22 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Advice
RE: [ActiveDir] Intra-forest migration
We've been using the Quest migration suite lately and have had pretty good success. The biggest selling point for me was that, unlike ADMT and the NetIQ (which are pretty much one and the same, except NetIQ will let you undo and is supposed to actually work :D), it did a non-destructive migration. ADMT/NetIQ is a lot like doing a movetree: if it works, great, if not, you've got nothing to go back to.. Quest basically just does a copy of the object, which you can leave disabled in the target until you're ready to get the users using their new accounts. All of them should handle profile/permission migration though? I thought I remembered testing that last year when ADMT 2.0 came out, but it was incredibly resource intensive and not necessarily reliable or scalable. Neither Quest nor NetIQ are cheap though, and both bill per user migrated.. -- Rob Ryan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher Sent: Friday, July 29, 2005 5:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Intra-forest migration
Re: [ActiveDir] Advice
I second this. My first order of business would be to get a Domain/Enterprise admin account, shortly followed by whatever documentation they have (or whatever they are willing to give you). The documentation will be light (or non-existent), but you should ask for it anyway. Phil On 7/29/05, Robert Williams (RRE) [EMAIL PROTECTED] wrote: My own opinion is that the organization should demand from the consulting firm the administrator password or an equal account immediately (as in, while they are on the phone with the person before even hanging up).
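For Tom's question of how much a regular user can glean: as an added example (not from this thread), the PowerShell below takes a read-only inventory of the forest using nothing but the default read access Authenticated Users have to the directory: the naming contexts, the FSMO role holders, the DC list with OS and service pack, the direct membership of the privileged groups, and the Exchange servers registered in the Configuration partition. It only reads, so it is not the privilege elevation Tom rightly rules out. It assumes a domain-joined Windows machine with the .NET System.DirectoryServices classes, English default group names, and that nobody has tightened the default ACLs; the set of groups queried is a choice made for this example, not anything the thread states.

```powershell
# Added example (not from the thread): a read-only inventory an ordinary domain
# account can take before anyone has Domain or Enterprise Admin. Every query is
# a plain LDAP read of objects Authenticated Users can see by default; nothing
# is written. Assumes a domain-joined Windows machine (System.DirectoryServices)
# and English default group names; naming contexts come from RootDSE.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = $rootDse.defaultNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

function Search-Ad {
    param([string]$Base, [string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Base"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 500       # paged results, so the server's 1000-entry limit does not truncate
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    $searcher.FindAll()
}

# Attribute fetch that yields nothing instead of throwing when the attribute is absent.
function Get-Attr($Result, [string]$Name) {
    $v = $Result.Properties[$Name.ToLower()]
    if ($v -and $v.Count -gt 0) { $v | ForEach-Object { $_ } }
}

# fSMORoleOwner holds the DN of the holder's "NTDS Settings" object; the DC name is the next RDN.
function Get-FsmoHolder([string]$ObjectDn) {
    $owner = ([ADSI]"LDAP://$ObjectDn").fSMORoleOwner.Value
    if ($owner -match '^CN=NTDS Settings,CN=([^,]+),') { $matches[1] } else { $owner }
}

'--- Forest / domain (from RootDSE) ---'
[pscustomobject]@{
    DomainNC            = $domainNc
    ForestRootNC        = $rootDse.rootDomainNamingContext.Value
    AnsweringDC         = $rootDse.dnsHostName.Value
    DomainFunctionality = $rootDse.domainFunctionality.Value    # absent on Windows 2000 DCs
    ForestFunctionality = $rootDse.forestFunctionality.Value
} | Format-List

'--- FSMO role holders ---'
[pscustomobject]@{
    PdcEmulator    = Get-FsmoHolder $domainNc
    RidMaster      = Get-FsmoHolder "CN=RID Manager`$,CN=System,$domainNc"
    Infrastructure = Get-FsmoHolder "CN=Infrastructure,$domainNc"
    SchemaMaster   = Get-FsmoHolder $schemaNc
    DomainNaming   = Get-FsmoHolder "CN=Partitions,$configNc"
} | Format-List

'--- Domain controllers (computer objects in OU=Domain Controllers) ---'
Search-Ad -Base "OU=Domain Controllers,$domainNc" -Filter '(objectCategory=computer)' `
          -Properties dNSHostName, operatingSystem, operatingSystemServicePack |
    ForEach-Object {
        [pscustomobject]@{
            Host = Get-Attr $_ 'dNSHostName'
            OS   = "$(Get-Attr $_ 'operatingSystem') $(Get-Attr $_ 'operatingSystemServicePack')"
        }
    } | Format-Table -AutoSize

'--- Privileged groups and their direct members ---'
# Group set chosen for this example. Very large groups come back as a ranged
# "member;range=..." attribute instead, which this simple read does not follow.
Search-Ad -Base $domainNc -Properties cn, member `
          -Filter '(&(objectCategory=group)(|(cn=Domain Admins)(cn=Enterprise Admins)(cn=Schema Admins)(cn=Administrators)(cn=Account Operators)))' |
    ForEach-Object {
        $members = @(Get-Attr $_ 'member')
        [pscustomobject]@{ Group = Get-Attr $_ 'cn'; Members = $members.Count; DNs = ($members -join '; ') }
    } | Format-Table -AutoSize -Wrap

'--- Exchange servers (Configuration partition) ---'
try {
    Search-Ad -Base "CN=Microsoft Exchange,CN=Services,$configNc" -Filter '(objectClass=msExchExchangeServer)' `
              -Properties cn, serialNumber |
        ForEach-Object { [pscustomobject]@{ Server = Get-Attr $_ 'cn'; Version = Get-Attr $_ 'serialNumber' } } |
        Format-Table -AutoSize
} catch { "No Exchange organization readable under CN=Services,$configNc" }
```

Run it as the ordinary account you are given on day one and keep the output: the FSMO holders and DC list are what to check the outsourcer's handover against, and the privileged-group membership is the first thing to review once you do get Domain Admin.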
RE: [ActiveDir] Urgh... troubleshooting....
I've seen issues with McAfee both with the Buffer Overflow checker hanging DCs and with the scanner causing contention on the DIT files themselves, which was solved once we rebooted and excluded those directories from the scan. If you're using a 3rd party backup tool that might be trying to hit the files, that might be causing issues as well.. -- Rob Ryan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob Sent: Friday, July 29, 2005 3:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Urgh... troubleshooting
Re: [ActiveDir] Intra-forest migration
ADMT pretty much has the functionality of the good 3rd party migration tools as far as migrations and security translations go. Where the 3rd party tools shine is in complex migration schedules, migrations with complex servers (SQL, IIS etc.) and they tend to offer easier/better reporting/logging. What do you mean by profile? Do you mean my desktop profile (background, settings, my documents etc.)? If so then ADMT can translate those profiles the same as 3rd party tools can. Load up a test forest and play around with ADMT a bit; v2 is quite good for most cases. Phil On 7/29/05, Chris Flesher [EMAIL PROTECTED] wrote:
Re: [ActiveDir] Urgh... troubleshooting....
Original Message From: Figueroa, Johnny To: ActiveDir@mail.activedir.org Sent: Friday, July 29, 2005 3:24 PM Subject: RE: [ActiveDir] Urgh... troubleshooting Found this, under Troubleshooting Active Directory : http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/d87e1c8f-2e6b-4ce3-b72b-7108acc6aecb.mspx More to the point there are some special security checks in DCDIAG for 2003 SP1 that may be able to help. From the link above: Ah, those symptoms look very similar to what I described as well as what I saw when I ran DCDIAG. I'll try running it again on Monday with the switches outlined in the article to see if that'll help. I *did* find some other stuff broken in the AD that I wasn't aware of, but it wasn't anything breaking replication to a single server, more of just screwing things up on my part. Fixing those issues will probably ease server load a bit with less overhead busywork going on. thanks, --Brett
Re: [ActiveDir] OT: MIIS, ADAM, AD
There is a MOC course for MIIS and another one that touches on MIIS while going over Security and Access Management: 2731: Deploying and Managing Microsoft(r) Identity Integration Server 2003 http://www.microsoft.com/learning/syllabi/en-us/2731afinal.mspx 2804: Microsoft(r) Security Guidance Training IV http://www.microsoft.com/learning/syllabi/en-us/2804Afinal.mspx If you just want straight MIIS training then the first one is what you're looking for. Also, if you work for a MS Partner then I'd get ahold of your MS rep and see if perhaps there is an Internal MS course that partners can attend. I don't know if there are or not, but it might be worth looking in to if you want some additional courses beyond that 2731 MOC. Phil On 7/29/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: One of the best MIIS lists I've found is [EMAIL PROTECTED] As far as books, haven't found one. I think MIIS now finally offered as a MOC course. :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Friday, July 29, 2005 1:30 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: MIIS, ADAM, AD MIIS looks pretty complex, but it is something that can be figured out (I've gotten it working so it can't be that hard ;) The thing I found with MIIS is that things aren't where you think they would be, and some switches/options do things that you're not expecting. There are some good Q articles about getting MIIS working, but I never looked for a book or anything. My question is: what are you going to be using the central LDAP directory for? Phil On 7/29/05, Ken Cornetet [EMAIL PROTECTED] wrote: We have an upcoming project which will require an LDAP directory containing both our internal users, and our extranet users. Currently, our internal users are in one AD domain, the extranet users are in another. The domains are in separate forests, and there are no trusts. My plan is to use ADAM for the central LDAP directory. 
However, I'm on the horns of an enema, um, I mean dilemma on how to sync ADAM to the two domains. A first glance would suggest MIIS. However, MIIS looks pretty complicated, and difficult to configure. I'm considering writing my own sync code since the task at hand is relatively straight-forward. Passwords will be a bit of a problem, but not unworkable. We use Psynch to maintain our internal passwords, so I can have it change the ADAM passwords at the same time it changes the internal AD passwords. The extranet users change their password via an existing web app, so having it change the ADAM passwords won't be an issue. Reading about ADAM proxy users leads me to believe they'd be a perfect fit as the object type to use for our internal users (authentication is relayed to AD thus negating the need to sync passwords). However, the ADAM tech ref says proxy users should only be used as a last resort, and to refer to the next section as to why. Unfortunately, the next section doesn't explain why not to use them. Anybody know why proxy user objects are evil? Are there any good MIIS for dummies type documentation around? Any good ADAM and/or MIIS mailing lists? List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Intra-forest migration
The Quest tool copies the user? I didn't know that was possible, all intra-forest migrations I have seen have been moves. Phil On 7/29/05, Rob Ryan [EMAIL PROTECTED] wrote: We've been using the Quest migration suite lately and have had pretty good success – the biggest selling point for me was that, unlike ADMT and the NetIQ (which are pretty much one and the same except NetIQ will let you undo and is supposed to actually work :D) was that it did a non-destructive migration – ADMT/NetIQ is a lot like doing a movetree – if it works, great, if not, you've got nothing to go back to.. Quest basically just does a copy of the object, which you can leave disabled in the target until you're ready to get the users using their new accounts. All of them should handle profile/permission migration though? I thought I remembered testing that last year when admt2.0 came out, but it was incredibly resource intensive and not necessarily reliable or scalable. Neither Quest nor NetIQ are cheap though, and both bill per user migrated.. -- Rob Ryan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher Sent: Friday, July 29, 2005 5:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Intra-forest migration We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves? Thanks as always. This list is a real help. Chris Flesher The University of Chicago NSIT/DCS (773)-834-8477
Re: [ActiveDir] turn off replication to a DC in same site
Man, last night I must've been feeling brazen (or bored), because I usually don't tell customers about disabling replication, esp. not how to do it in the entire forest in one whack ... esp. not on a forum ... some warnings last night's mail should've come with ... Warning 1: YOU MUST MUST MUST still let DCs replicate, _in both directions_, _on a regular basis_. The regularity of the basis is based on the fact that AD replication must always happen end-to-end in the forest within a tombstone lifetime or you end up with lingering objects. It can be very difficult to get your forest into a consistent state again once you get lingering objects. By "let DCs replicate", I mean re-enable replication. If you were to get hit by a bus tomorrow, who would turn replication back on, to make sure this forest doesn't get lingering objects? Warning 2: You should of course know your AD replication topology, because if you for instance disable a DC in a forest with manual replication connections, OR disable a DC in a site, that is in a chain of sites, with no site link bridging (IIRC), then you can schism your topology and make it so two whole sets of DCs can't talk to each other, instead of just the single DC you intended to cut off ... Warning 3: A word of caution on FSMO transfers ... FSMO transfers are done through replication, sooo be careful about transferring FSMOs across disabled DCs ... don't know if it will work, or not work, but you should understand a transfer of a FSMO implies replication of some subset of objects in a Naming Context ... so when doing a FSMO transfer you may not be isolating a couple DCs from each other, in the way you thought ... or maybe disable replication does shut down FSMO transfer ... I don't know the behavior, but you should before you transfer FSMO like this in production, so you don't have any unexpected results ... 
Warning 3a: Oh and don't think you're so clever to instead seize the FSMO, b/c the FSMO seizure tries to do a transfer first, and I do not believe there is any way to inhibit that behavior. Warning 4: There might be issues with cutting off the PDC emulator: the mechanism other DCs use against the PDC to sync an account's current password on a bad password attempt. It might fail or it might work, and either way it turns out it might not have been what you want, so you should test which way it works, before you do it. I'm not really sure, that's SAM stuff ... I'm _not_ saying disabling replication is a bad idea, or isn't useful, but there are ways to make a mess of things for yourself. Probably other warnings I should've mentioned. Anyway, the option is somewhat expert. And like (at least the U.S.) court system, not knowing the law is no excuse, even if you unknowingly break the laws of replication, you'll get screwed in the ... Anyway, back to your question ... if you have the 3 DCs you implied below, and you disable the outbound replication of the other two DCs, that is fine, but then they won't replicate with each other either, which I didn't think was exactly what you wanted to achieve ... to elaborate ... So first remember AD replication is pull based ... there is no push based replication, a DC never foists changes on another DC, a DC must decide to ask for changes from another DC. Sometimes however a DC A will trigger another DC B to turn around and immediately request changes from DC A, and obviously this can look effectively like push based replication. But DC B can decide to ignore DC A's triggering action, which may happen today (?), or may happen in future releases ... OK, our AD replication basics lesson aside, you can think of disabling outbound replication as really stopping a DC from giving recent changes out, i.e. it disables the DC from giving changes to other DCs when they pull from it. 
To approach it from an extremely practical scenario perspective... Scenario 1: If you want to keep some changes you're making to DC X, on DC X, until you're satisfied, you want to disable outbound replication on that DC. This allows the DC to stay abreast of the changes happening to the rest of the forest without injecting changes. Scenario 2: If you want to hold DC Y back in time from the rest of the forest, for say backup, or insurance purposes, then you want to disable inbound replication on that DC. This however doesn't stop a change made to DC Y from propagating to the rest of the forest. Scenario 3: For whatever reason, you want to completely isolate DC Z so changes don't go out from the DC to the rest of the forest, and changes don't come in from the rest of the forest, then disable both inbound and outbound replication on that DC. Obviously, using disabled replication is very useful though, and if used properly (for which of course there is very little guidance), it can give you superior control over your directory. If you didn't know or think of warnings 1 and 2 off the top of your head, you probably haven't done
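The three scenarios above, and the lingering-object outcome Warning 1 describes, as an added toy model that is not part of the original mail or of any Microsoft tool: a simulation of pull-only replication with a per-DC inbound and outbound switch, the same switches that `repadmin /options <DC> +DISABLE_INBOUND_REPL` / `+DISABLE_OUTBOUND_REPL` set and `-DISABLE_...` clears. The DC names, the single-version object stamp and the 60-day tombstone lifetime are assumptions (a real forest holds its value in the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration, and real replication compares per-attribute version and USN stamps). A DC running with strict replication consistency refuses a lingering object rather than re-accepting it; the model shows the loose behaviour, which is the mess the warning is about.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumption: the classic 60-day default; read tombstoneLifetime on a real forest
# (newer forests default to 180).
TOMBSTONE_LIFETIME_DAYS = 60


@dataclass
class Obj:
    name: str
    version: int = 1                  # stand-in for the per-attribute version stamp
    deleted_on: Optional[int] = None  # day of deletion; set means "tombstone"


@dataclass
class DC:
    name: str
    objects: Dict[str, Obj] = field(default_factory=dict)
    inbound: bool = True   # False models: repadmin /options <dc> +DISABLE_INBOUND_REPL
    outbound: bool = True  # False models: repadmin /options <dc> +DISABLE_OUTBOUND_REPL

    def create(self, name: str) -> None:
        self.objects[name] = Obj(name)

    def delete(self, name: str, day: int) -> None:
        o = self.objects[name]
        o.deleted_on, o.version = day, o.version + 1  # the deletion is itself a change

    def garbage_collect(self, today: int) -> None:
        """Tombstones older than the lifetime are purged and can no longer replicate."""
        for n, o in list(self.objects.items()):
            if o.deleted_on is not None and today - o.deleted_on > TOMBSTONE_LIFETIME_DAYS:
                del self.objects[n]

    def live(self) -> set:
        return {n for n, o in self.objects.items() if o.deleted_on is None}


def pull(dst: DC, src: DC) -> bool:
    """dst asks src for changes. That is the only direction replication works in:
    nothing is ever pushed, and a switch on either side stops the exchange."""
    if not (src.outbound and dst.inbound):
        return False
    for n, o in src.objects.items():
        mine = dst.objects.get(n)
        if mine is None or o.version > mine.version:
            dst.objects[n] = Obj(o.name, o.version, o.deleted_on)
    return True


def _pair():
    x, y = DC("X"), DC("Y")
    x.create("made-on-x")
    y.create("made-on-y")
    return x, y


def scenario_outbound_disabled() -> bool:
    """Scenario 1: X's edits stay on X while X still learns the forest's changes."""
    x, y = _pair()
    x.outbound = False
    pull(y, x); pull(x, y)
    return "made-on-x" not in y.objects and "made-on-y" in x.objects


def scenario_inbound_disabled() -> bool:
    """Scenario 2: Y is held back in time, yet a change made on Y still gets out."""
    x, y = _pair()
    y.inbound = False
    pull(y, x); pull(x, y)
    return "made-on-x" not in y.objects and "made-on-y" in x.objects


def scenario_isolated() -> bool:
    """Scenario 3: both switches off on Y; nothing moves in either direction."""
    x, y = _pair()
    y.inbound = y.outbound = False
    pull(y, x); pull(x, y)
    return "made-on-x" not in y.objects and "made-on-y" not in x.objects


def reconnect_after(days: int) -> bool:
    """Warning 1. Y is cut off on day 0, X deletes an object on day 1, Y is
    reconnected on day `days`. True means the deleted object came back to life."""
    x, y = DC("X"), DC("Y")
    x.create("stale")
    pull(y, x)                      # both DCs hold the object
    y.inbound = y.outbound = False  # Y is isolated
    x.delete("stale", day=1)
    x.garbage_collect(today=days)   # past the lifetime, X forgets the deletion ever happened
    y.inbound = y.outbound = True   # somebody finally turns replication back on
    pull(y, x); pull(x, y)
    return "stale" in x.live()      # Y's live copy is older than anything X has, so it wins


if __name__ == "__main__":
    print("scenario 1 ok:", scenario_outbound_disabled())
    print("scenario 2 ok:", scenario_inbound_disabled())
    print("scenario 3 ok:", scenario_isolated())
    print("lingering object after 30 days:", reconnect_after(30))
    print("lingering object after 90 days:", reconnect_after(90))
```

The asymmetry the mail stresses falls out of `pull`: a DC with outbound disabled still pulls, a DC with inbound disabled is still pulled from, and only `reconnect_after` past the lifetime resurrects an object, because the healthy side no longer holds the tombstone that would have outranked the stale copy.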
RE: [ActiveDir] OT: MIIS, ADAM, AD
I wonder whether anyone has tried the ADAM Synchronizer for similar scenarios: http://www.microsoft.com/downloads/details.aspx?familyid=06787254-d7f4-4fff-8e02-2609956cb19edisplaylang=en The documentation is pretty vague about the way the target objects are created. Guy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Friday, July 29, 2005 5:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: MIIS, ADAM, AD We have an upcoming project which will require an LDAP directory containing both our internal users, and our extranet users. Currently, our internal users are in one AD domain, the extranet users are in another. The domains are in separate forests, and there are no trusts. My plan is to use ADAM for the central LDAP directory. However, I'm on the horns of an enema, um, I mean dilemma on how to sync ADAM to the two domains. A first glance would suggest MIIS. However, MIIS looks pretty complicated, and difficult to configure. I'm considering writing my own sync code since the task at hand is relatively straight-forward. Passwords will be a bit of a problem, but not unworkable. We use Psynch to maintain our internal passwords, so I can have it change the ADAM passwords at the same time it changes the internal AD passwords. The extranet users change their password via an existing web app, so having it change the ADAM passwords won't be an issue. Reading about ADAM proxy users leads me to believe they'd be a perfect fit as the object type to use for our internal users (authentication is relayed to AD thus negating the need to sync passwords). However, the ADAM tech ref says proxy users should only be used as a last resort, and to refer to the next section as to why. Unfortunately, the next section doesn't explain why not to use them. Anybody know why proxy user objects are evil? Are there any good MIIS for dummies type documentation around? Any good ADAM and/or MIIS mailing lists?
RE: [ActiveDir] Question about Kerberos Errors
This article may provide some help. The DNS suffix of the computer name of a new domain controller may not match the name of the domain after you install or upgrade a Windows NT 4.0 Primary domain controller to Windows 2000 http://support.microsoft.com/default.aspx?scid=kb;en-us;257623 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rachui, Scott Sent: Friday, July 29, 2005 1:44 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Question about Kerberos Errors I have a question about Kerberos that I hope you guys can help me with. In our environment, our client base (servers and workstations) has a different DNS name than the domain where their authenticating DCs reside. They are members of the same Active Directory domain, but due to decisions made a long time ago, their DNS information does not match the AD domain where they reside. As an example: DC1 is in CHILD.DOMAIN.COM but all application servers are listed (in DNS only) as being in DOMAIN.COM even though their computer objects are in CHILD.DOMAIN.COM. This is for ease of lookup, I'm told. Additionally, workstations have a location code added so that they show up as LOCATION.DOMAIN.COM. Both the servicePrincipalName and the dNSHostName report the server and workstation objects as being in the domain mentioned above. I have checked, and the primary DNS suffix for each machine maps to the dNSHostName. So, my workstation has the following SPN: HOST/workstationname.LOCATION.DOMAIN.COM HOST//workstationname And one of our Exchange Servers has the following SPN: SMTPSVC/servername SMTPSVC/servername.DOMAIN.COM HOST/servername HOST/servername.DOMAIN.COM Now the problem: We are getting floods of Audit Failures (Event ID 675 and 676) and also NETLOGON failures (5722, 5723, and 5790) on a regular basis on all of our DCs. In some cases, a single computer will log literally thousands of these events and still not get locked out (which I would expect if they are attempting to authenticate and failing). 
It has been hinted to me multiple times that one of the reasons we are experiencing this is due to the way our servers/workstations are set up in DNS. Can someone confirm or deny this for me? If there is any published literature that I can look at or show my management, that would also be very helpful. Thanks! Scott Rachui
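Before arguing cause and effect, it helps to inventory exactly which machines sit in the split state Scott describes (computer object in one domain, dNSHostName and SPNs in another suffix). This is an added script, not from the thread or from Microsoft: the domain name, computer names and SPN lists are constructed sample data modelled on the question, standing in for an LDAP search that returns dNSHostName and servicePrincipalName for every computer object. It reports inconsistencies only; it does not by itself show that they cause the 675/676 floods. The `HOST//broken` entry is deliberately malformed so the parser's handling of it is visible.

```python
from typing import Dict, List

DOMAIN_DNS = "child.domain.com"  # assumption: the AD domain the computer objects live in

# Constructed sample rows, not real objects; in practice they come from an LDAP
# search over objectCategory=computer returning dNSHostName and servicePrincipalName.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "WS01$", "dNSHostName": "ws01.location.domain.com",
     "servicePrincipalName": ["HOST/ws01.location.domain.com", "HOST/WS01"]},
    {"sAMAccountName": "EXCH1$", "dNSHostName": "exch1.domain.com",
     "servicePrincipalName": ["SMTPSVC/exch1", "SMTPSVC/exch1.domain.com",
                              "HOST/exch1", "HOST/exch1.domain.com"]},
    {"sAMAccountName": "DC1$", "dNSHostName": "dc1.child.domain.com",
     "servicePrincipalName": ["HOST/dc1.child.domain.com", "HOST/DC1"]},
    {"sAMAccountName": "BROKEN$", "dNSHostName": "broken.child.domain.com",
     "servicePrincipalName": ["HOST//broken", "HOST/broken.child.domain.com"]},
]


def parse_spn(spn: str):
    """servicePrincipalName syntax is service/host[:port][/instance].
    Returns (service, host) lower-cased, or None if either part is missing."""
    try:
        service, rest = spn.split("/", 1)
    except ValueError:
        return None
    host = rest.split("/", 1)[0].split(":", 1)[0]
    if not service or not host:
        return None
    return service.lower(), host.lower()


def audit_computer(c: Dict, domain_dns: str) -> List[str]:
    """Findings for one computer object; an empty list means it is consistent."""
    findings = []
    fqdn = c["dNSHostName"].lower()
    short, _, suffix = fqdn.partition(".")
    if suffix != domain_dns.lower():
        findings.append(f"dNSHostName suffix '{suffix}' != domain '{domain_dns}'")
    host_spns = set()
    for spn in c["servicePrincipalName"]:
        parsed = parse_spn(spn)
        if parsed is None:
            findings.append(f"malformed SPN '{spn}'")
            continue
        service, host = parsed
        if "." in host and host != fqdn:
            findings.append(f"SPN host '{host}' does not match dNSHostName '{fqdn}'")
        if service == "host":
            host_spns.add(host)
    # Kerberos clients build HOST/<fqdn> and HOST/<netbios>; both should be registered.
    for expected in (fqdn, short):
        if expected not in host_spns:
            findings.append(f"missing HOST/{expected}")
    return findings


def audit(computers: List[Dict], domain_dns: str = DOMAIN_DNS) -> Dict[str, List[str]]:
    return {c["sAMAccountName"]: audit_computer(c, domain_dns) for c in computers}


if __name__ == "__main__":
    for sam, findings in audit(SAMPLE_COMPUTERS).items():
        print(sam, "OK" if not findings else "; ".join(findings))
```

Run against a real export, the suffix-mismatch count is the number management asked for; the `missing HOST/...` and `malformed` findings are the ones worth fixing first, since they are wrong regardless of how the DNS namespace was laid out.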
RE: [ActiveDir] Advice
One thing, and one thing only that I can say to this: You cannot be responsible or be expected to run or manage this environment until you take control of the DCs and REMOVE any other principal from ALL DC and Exchange related groups - and add yourself to these groups (at least initially - we can discuss later what the real action will be in time). If you cannot do this, your new management is not empowering you to do your job and the outsourcers still own the domain and the e-mail servers. End of story. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Friday, July 29, 2005 5:22 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Advice I'm starting a new job in a week as an AD/Exchange engineer (I posted about my anxieties before on the list). This company used to outsource all their AD/Exchange infrastructure and now they want to take control of it. As it stands, their relationship with the outsourcing firm is rocky. While the DCs and Exchange server are physically in the company, no one has Domain or Enterprise admin rights. And no one, including me, is about to attempt elevation of privileges with all the numerous ways to hack a DC when you have physical access. That would be in poor taste. My questions to the list are, if you were coming into such an environment, what are the first things you would do and look for? How much as a regular user can you glean of the AD/Exchange environment and what would be your first steps? Thanks very much. -- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] Search User Accounts for Password Reset Date
Determine the max time of the password in the password policy and retrieve the pwdLastSet attribute from each user. As the attribute name suggests, it is the moment the password was changed the last time. Cheers #JORGE# From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Fri 7/29/2005 9:57 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Search User Accounts for Password Reset Date I know it's possible to search user accounts for the last logged in date but is it possible to generate a list of the date and time each user account is set to expire? On our old domain, Novell (gag) would display the time and date that a user's password was to expire and I'd like to see if we can view this kind of information in AD. I'd really like to get a list of all our user accounts and then the password expiration date so I can sort and print it for our management team. Bonnie Pohlschneider Copeland Corporation 937-493-2333 PH 718-887-7441 FX This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
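Jorge's recipe worked through, as an added example that is not part of the thread: the expiry date is pwdLastSet plus the domain's maximum password age, with two special cases that a report for management has to handle (pwdLastSet of 0 means "must change at next logon", and the DONT_EXPIRE_PASSWORD bit in userAccountControl, or a policy of "never", means no expiry at all). The user rows and the 42-day policy are constructed sample data standing in for an LDAP search; maxPwdAge itself lives on the domain naming context root as a negative 100ns interval, and the special value for "passwords never expire" is the most negative 64-bit integer. Domain controllers from Windows Server 2008 onward also expose the same answer directly as the constructed attribute msDS-UserPasswordExpiryTimeComputed, and fine-grained password policies are not modelled here.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAXPWDAGE_NEVER = -(2 ** 63)    # stored maxPwdAge when the policy's maximum age is "never"
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: "password never expires"


def filetime_to_datetime(ft: int) -> datetime:
    """AD large-integer timestamps count 100ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_expiry(pwd_last_set: int, uac: int, max_pwd_age: int) -> Tuple[str, Optional[datetime]]:
    """Classify one account as (status, expiry); expiry is None unless status is 'expires'."""
    if uac & DONT_EXPIRE_PASSWORD or max_pwd_age in (0, MAXPWDAGE_NEVER):
        return "never", None
    if pwd_last_set == 0:
        return "must-change", None  # admin ticked "must change password at next logon"
    # maxPwdAge is stored as a negative interval, so subtracting it adds the maximum age.
    return "expires", filetime_to_datetime(pwd_last_set - max_pwd_age)


def expiry_report(users: List[Dict], max_pwd_age: int, now: datetime):
    """One row per user, soonest expiry first: (sAMAccountName, status, expiry-or-None)."""
    rows = []
    for u in users:
        status, when = password_expiry(u["pwdLastSet"], u["userAccountControl"], max_pwd_age)
        if status == "expires" and when <= now:
            status = "expired"
        rows.append((u["sAMAccountName"], status, when))
    rows.sort(key=lambda r: (r[2] is None, r[2] or now))
    return rows


# Constructed sample data (not a real directory). 0x200 is NORMAL_ACCOUNT.
NOW = datetime(2005, 7, 30, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000  # a 42-day policy as AD stores it
SAMPLE_USERS = [
    {"sAMAccountName": "bonnie", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(datetime(2005, 7, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "svc-backup", "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": datetime_to_filetime(datetime(2004, 1, 1, tzinfo=timezone.utc))},
    {"sAMAccountName": "newhire", "userAccountControl": 0x200, "pwdLastSet": 0},
    {"sAMAccountName": "olduser", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(datetime(2005, 5, 1, tzinfo=timezone.utc))},
]


if __name__ == "__main__":
    for sam, status, when in expiry_report(SAMPLE_USERS, MAX_PWD_AGE, NOW):
        print(f"{sam:12} {status:12} {when.isoformat() if when else '-'}")
```

The report sorts already-expired and soon-to-expire accounts to the top, which is the order a management list wants; the "never" rows are worth keeping visible too, since every service account with that bit set is a password that will never be rotated by policy.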
RE: [ActiveDir] Intra-forest migration
When doing intra-forest migrations some tools are destructive, meaning the old user account is deleted before the new one is created. Reason is with an intra-forest migration the GUID does not change (SID does); the problem with this is it does not provide fallback. In fact it is a MOVE. As I know, Domain Migration Wizard from Quest does a copy and thus provides for fallback concerning the user account, which is a pro. There are also cons when thinking about profiles, when thinking copy compared to move. It all depends on what you want and like best Cheers #JORGE# From: [EMAIL PROTECTED] on behalf of Chris Flesher Sent: Sat 7/30/2005 12:04 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Intra-forest migration We are trying to reorganize our forest and move accounts to one domain with multiple child resource domains, mostly for political reasons that most Universities are familiar with. What tool(s) are available besides ADMTv2 to migrate users from one domain to another within the same forest? ADMT does not copy profiles as far as I know. My biggest issue is not having enough staff to touch all the desktops in one weekend, and hiring temps is probably out as well. Would it be difficult to script something to migrate profiles? Has anyone tried to do this themselves? Thanks as always. This list is a real help. Chris Flesher The University of Chicago NSIT/DCS (773)-834-8477
RE: [ActiveDir] Advice
The first thing that comes up is: who is able to access a DC (as in logon locally or through TS). I'm not going forward with what I want to say, because I don't want to give wrong ideas! Cheers #JORGE# From: [EMAIL PROTECTED] on behalf of Kern, Tom Sent: Sat 7/30/2005 12:21 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Advice I'm starting a new job in a week as an AD/Exchange engineer (I posted about my anxieties before on the list). This company used to outsource all their AD/Exchange infrastructure and now they want to take control of it. As it stands, their relationship with the outsourcing firm is rocky. While the DCs and Exchange server are physically in the company, no one has Domain or Enterprise admin rights. And no one, including me, is about to attempt elevation of privileges with all the numerous ways to hack a DC when you have physical access. That would be in poor taste. My questions to the list are, if you were coming into such an environment, what are the first things you would do and look for? How much as a regular user can you glean of the AD/Exchange environment and what would be your first steps? Thanks very much. -- Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] OT: MIIS, ADAM, AD
the only way I know of with the AD/AM sync is from AD to AD/AM and not the other way around. #JORGE# From: [EMAIL PROTECTED] on behalf of Guy Teverovsky Sent: Sat 7/30/2005 1:58 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: MIIS, ADAM, AD I wonder whether anyone has tried the ADAM Synchronizer for similar scenarios: http://www.microsoft.com/downloads/details.aspx?familyid=06787254-d7f4-4fff-8e02-2609956cb19edisplaylang=en The documentation is pretty vague about the way the target objects are created. Guy From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Friday, July 29, 2005 5:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: MIIS, ADAM, AD We have an upcoming project which will require an LDAP directory containing both our internal users, and our extranet users. Currently, our internal users are in one AD domain, the extranet users are in another. The domains are in separate forests, and there are no trusts. My plan is to use ADAM for the central LDAP directory. However, I'm on the horns of an enema, um, I mean dilemma on how to sync ADAM to the two domains. A first glance would suggest MIIS. However, MIIS looks pretty complicated, and difficult to configure. I'm considering writing my own sync code since the task at hand is relatively straight-forward. Passwords will be a bit of a problem, but not unworkable. We use Psynch to maintain our internal passwords, so I can have it change the ADAM passwords at the same time it changes the internal AD passwords. The extranet users change their password via an existing web app, so having it change the ADAM passwords won't be an issue. Reading about ADAM proxy users leads me to believe they'd be a perfect fit as the object type to use for our internal users (authentication is relayed to AD thus negating the need to sync passwords). However, the ADAM tech ref says proxy users should only be used as a last resort, and to refer to the next section as to why. 
Unfortunately, the next section doesn't explain why not to use them. Anybody know why proxy user objects are evil? Are there any good MIIS for dummies type documentation around? Any good ADAM and/or MIIS mailing lists?